User permissions in Aesthetix CRM control exactly what each team member can see, access, and manage inside your account. Because Aesthetix CRM is used in HIPAA-compliant environments, it is critical that users only have access to the features and data required for their role.
Poorly configured permissions increase risk, expose sensitive patient data, and can allow unintended actions such as data exports, bulk messaging, or workflow changes. This guide walks through how permissions work, how to configure them, and best practices for securing your account.
To manage permissions:
Go to Settings
Select My Staff
Edit an existing user or click Add User
When creating or editing a user, all permissions are managed inside the Roles and Permissions section.
When adding a user:
Name and Email are required
Phone number is optional but recommended: use the user's mobile number, since it enables SMS-based two-factor authentication
Every user must have a unique email address
Once basic details are added, permissions are configured under Roles and Permissions.
Admin role:
Has access to all system features by default
Can manage settings, integrations, data, users, exports, automations, and payments
Should only be assigned to trusted leadership or system owners
User role:
Has some built-in restrictions compared to Admin
Still includes many powerful permissions
Requires careful permission configuration
Important: Both Admin and User roles still start with all permissions enabled by default. You must explicitly disable what a user should not access.
A separate per-user setting limits that user's access to only the data assigned to them.
Common use cases:
Sales teams who should only see their own leads
Multi-location setups where staff should only see location-specific data
Important considerations:
Can create operational challenges when covering for absent staff
May require reassignment of contacts or opportunities when roles change
Below is a breakdown of the most important permission groups and when to enable or disable them.
Controls access to AI Employee features including conversation AI and voice AI.
Recommendations:
Disable for most staff
Enable only for users managing AI configuration or reviewing AI conversations
You can grant access to the Conversation AI Dashboard alone, without full AI management
Note: If users click a feature they do not have permission for, they will be redirected back to the dashboard.

Account settings
Includes:
View and manage tags
View and manage system settings
Recommendation:
Restrict to admins only
Most staff should not access account-level settings
Includes Content AI and legacy tools.
Recommendation:
Enable Content AI only for marketing users
Legacy tools can be ignored

Workflows
Includes:
View workflows
View and manage workflows
Recommendations:
Most users should have View only
Only admins or automation managers should have edit access
Campaigns and Triggers are legacy tools and not used on current accounts

Calendars
Controls access to:
Viewing appointments
Managing appointments
Managing calendars
Important notes:
Primarily used by plastic surgery practices with pre-qualified calendars
EMR appointments do not flow into these calendars
Recommendation:
Allow view access where needed
Restrict calendar editing unless required

Contacts
One of the most sensitive permission sets.
Includes:
Viewing contacts
Bulk actions
Import and export access
Critical security note:
Bulk actions allow mass SMS, email, imports, and exports
Export access allows data extraction from your system
Recommendation:
Disable entirely for users who do not need contact access
Grant bulk and export permissions only to trusted users
Controls access to the inbox.
Recommendation:
Enable only for users handling inbound and outbound communications
Disable for users without messaging responsibilities

Forms, landing pages, and websites
Includes:
Viewing and managing forms
Managing landing pages and websites
Recommendation:
Enable for marketing users
Disable for clinical, front desk, or sales-only roles
Controls access to native integrations such as EMRs, ads, and analytics.
Recommendation:
Admin-only
Incorrect changes can break data flow

Marketing tools
Includes:
Social planner
Ad manager
Prospecting tools
Affiliate manager
Recommendation:
Disable for non-marketing staff
Front desk and sales roles should not have access
Controls access to uploaded files and media.
Recommendation:
Enable only if needed for marketing or messaging
Disable for most roles

Opportunities
Highly sensitive permission set.
Includes:
Viewing opportunities
Bulk actions
Import and export
Viewing opportunity values
Best practices:
Enable only for sales and leadership roles
Disable opportunity value visibility if sales staff should not see revenue
Restrict bulk actions unless necessary

Payments
Includes:
Payments
Orders
Invoices
Products
Payment settings
Taxes
Transactions
Important:
Disabling Payments removes access to all related sub-permissions
Recommendation:
Disable by default
Enable only for finance or ownership roles

Reporting
Includes:
Viewing dashboards
Managing dashboards
Exporting data
Managing reports
Recommendation:
Remove export permissions unless explicitly needed
Reporting management should be limited to leadership or analytics roles

Reviews
Controls access to:
Reviews
Responding to reviews
Reviews AI
Recommendation:
Enable only for staff responsible for reputation management
Disable for general users

Copying permissions
Once you configure permissions for one user, you can reuse them.
How it works:
Use Copy Permissions
Select an existing user
Apply the same permission set to a new user
This is ideal for:
Front desk roles
Sales roles
Marketing roles
Multi-location teams

Best practices:
Never leave default permissions enabled
Apply the principle of least privilege
Limit bulk actions and export access
Review permissions quarterly
Use role-based permission templates
Restrict Admin access aggressively
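The points above (both roles start fully enabled and must be explicitly trimmed; disabling a group such as Payments also removes its sub-permissions; reusable role templates; limiting bulk, export, integration, and settings access to admins; quarterly review) can be checked mechanically. The following is an added example, not Aesthetix CRM code and not a call to any product API (the guide exposes none); it models a role as an explicit deny list applied to the all-enabled default, resolves the group-to-sub-permission cascade, audits a role against the least-privilege recommendations, and reports drift between a user and the template they were copied from. The group and sub-permission names and the two role templates are assumptions that mirror the permission groups described in this guide, not identifiers from the product.

```python
"""Least-privilege review of CRM role templates (added example, not product code).

Permission group and sub-permission names below are assumptions that mirror the
groups described in the guide; the CRM itself is not called from this script.
"""
from __future__ import annotations

from typing import Iterable

# Permission groups and their sub-permissions (assumed names, mirroring the guide).
GROUPS: dict[str, list[str]] = {
    "ai_employee": ["manage_ai", "conversation_ai_dashboard"],
    "account_settings": ["manage_tags", "manage_settings"],
    "workflows": ["view_workflows", "manage_workflows"],
    "calendars": ["view_appointments", "manage_appointments", "manage_calendars"],
    "contacts": ["view_contacts", "bulk_actions", "import_export"],
    "conversations": ["inbox"],
    "sites": ["manage_forms", "manage_landing_pages"],
    "integrations": ["manage_integrations"],
    "marketing": ["social_planner", "ad_manager", "prospecting", "affiliate_manager"],
    "media": ["view_media"],
    "opportunities": ["view_opportunities", "bulk_actions", "import_export", "view_values"],
    "payments": ["orders", "invoices", "products", "payment_settings", "taxes", "transactions"],
    "reporting": ["view_dashboards", "manage_dashboards", "export_data", "manage_reports"],
    "reputation": ["view_reviews", "respond_reviews", "reviews_ai"],
}

# Permissions the guide singles out as high risk for anyone who is not an admin:
# bulk messaging, data export, workflow edits, account/integration/payment settings.
SENSITIVE: frozenset[str] = frozenset({
    "contacts.bulk_actions", "contacts.import_export",
    "opportunities.bulk_actions", "opportunities.import_export",
    "reporting.export_data", "workflows.manage_workflows",
    "account_settings", "integrations", "payments",
})


def all_permissions() -> frozenset[str]:
    """Every group toggle plus every 'group.sub' permission."""
    perms = set(GROUPS)
    for group, subs in GROUPS.items():
        perms.update(f"{group}.{sub}" for sub in subs)
    return frozenset(perms)


def effective_permissions(disabled: Iterable[str]) -> frozenset[str]:
    """Resolve an explicit deny list against the all-enabled default.

    Both roles start with everything enabled, so a template is the set of
    permissions switched off. Disabling a group (e.g. 'payments') also removes
    all of its sub-permissions, matching the cascade the guide describes.
    """
    disabled = set(disabled)
    universe = all_permissions()
    unknown = disabled - universe
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    enabled = set(universe)
    for perm in disabled:
        enabled.discard(perm)
        if "." not in perm:  # group toggle: cascade to its sub-permissions
            enabled.difference_update(p for p in universe if p.startswith(perm + "."))
    return frozenset(enabled)


def audit_role(name: str, is_admin: bool, disabled: Iterable[str],
               justified: Iterable[str] = ()) -> list[str]:
    """Return least-privilege findings for one role; an empty list means clean."""
    disabled = set(disabled)
    effective = effective_permissions(disabled)
    findings: list[str] = []
    if not disabled:
        findings.append(f"{name}: default permissions left fully enabled")
    if not is_admin:  # admins are expected to hold these; everyone else must justify them
        for perm in sorted(SENSITIVE - set(justified)):
            if perm in effective:
                findings.append(f"{name}: sensitive permission enabled: {perm}")
    return findings


def excess_over_template(disabled: Iterable[str],
                         template_disabled: Iterable[str]) -> frozenset[str]:
    """Permissions a user holds beyond their role template (drift to fix at review)."""
    return effective_permissions(disabled) - effective_permissions(template_disabled)


# Role templates as explicit deny lists, following the guide's recommendations
# (these stand in for the reusable permission sets applied via Copy Permissions).
FRONT_DESK_DISABLED = frozenset({
    "ai_employee", "account_settings", "workflows.manage_workflows",
    "calendars.manage_calendars", "contacts.bulk_actions", "contacts.import_export",
    "sites", "integrations", "marketing", "media", "opportunities", "payments",
    "reporting.export_data", "reporting.manage_reports", "reputation",
})
SALES_DISABLED = frozenset({
    "ai_employee", "account_settings", "workflows.manage_workflows",
    "contacts.bulk_actions", "contacts.import_export", "sites", "integrations",
    "marketing", "media", "opportunities.bulk_actions", "opportunities.import_export",
    "opportunities.view_values", "payments", "reporting.export_data",
    "reporting.manage_reports", "reputation",
})

if __name__ == "__main__":
    for finding in audit_role("New hire (untouched defaults)", False, set()):
        print(finding)
    print(audit_role("Front desk", False, FRONT_DESK_DISABLED))  # []
    # A front-desk user who was later handed Payments back: report the drift.
    print(sorted(excess_over_template(FRONT_DESK_DISABLED - {"payments"}, FRONT_DESK_DISABLED)))
```

Run it as-is to see the ten findings an untouched new user produces, then drop your own users' deny lists into `audit_role` and `excess_over_template` as part of the quarterly review; a marketing user who legitimately needs bulk messaging is passed through `justified` rather than silently exempted.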
User permissions are one of the most important security and operational controls in Aesthetix CRM. Proper configuration protects patient data, prevents costly mistakes, and ensures your team can work efficiently without unnecessary risk.
If you are unsure about a permission or role setup, contact your Aesthetix CRM support team before enabling access.